Definition & types of access control models & methods (updated 2023)
If you’ve taken a CISSP Training Boot Camp, you know about access control. You also know information security comes with a big responsibility. That includes creating a system that allows employees to access the information and tools they need to do their jobs effectively, and it also means preventing the wrong people from accessing the same information.
Sure, you can designate a system administrator to grant access requests on a case-by-case basis, but this isn’t nearly as effective as creating access control models that automatically confirm or deny access to networks, systems and software to the right people.
Most areas of cybersecurity rely on creating access controls to approve access requests automatically and ensuring no one can trick those controls into providing access to those who would leak or threaten information systems.
As organizations grow larger and the types of access required to conduct daily business grow more complex, so do the ways information security (IS) professionals structure access approval. That’s why learning and keeping up with the most effective logical access control methods and models is crucial to passing the (ISC)² Certified Information Systems Security Professional (CISSP) certification exam, proving to other professionals you know how to securely manage information.
Access control is covered extensively in the CISSP Identity and Access Management domain. Let’s look at some of the latest methods for access controls in CISSP training, how they differ and how this knowledge can be practically applied in the CISSP exam.
Main access control models
Below are the models for access control in Infosec’s Access Control Fundamentals Course, which are covered extensively on the CISSP exam. At the heart of each model is the concept of exchanges between subjects and objects. A subject is anything, whether it be a person, software program or another entity, that requests access to an object, which is typically defined as anything that contains information.
Each of the following access control models uses different methods for granting permission to the subjects and controlling access to the objects.
1. Discretionary Access Control (DAC)
This access control model gives subjects the most freedom to access objects but also provides a lower level of security than other models on this list. It works by a security administrator creating a resource profile for the object that contains an access control list of those who can access an object and in what capacity. However, in addition to the administrator, the owner or creator of the object has the same ability to manage access. While this can provide flexibility and allow new people who need access to acquire it, the main downside to this model is that the owner can provide access to whomever they wish — including the wrong subjects.
2. Mandatory Access Control (MAC)
Nearly the opposite of DAC, the Mandatory Access Control model has one administrator in charge of granting access to subjects by designating clearance levels to any entity that accesses information. An object is given a clearance level based on its security requirements, and only subjects with the same clearance level or higher can access that object. Two security models are commonly used to manage a MAC model based on whether information integrity or confidentiality is the priority: Biba and Bell-LaPadula.
Biba is best for maintaining information integrity in access control models, and allows subjects with lower-level clearance to read higher-level clearance objects, and subjects with higher-level clearance to write for lower-level clearance objects.
Bell-LaPadula is a little more rigid and is commonly used in government or military roles. In this model, even subjects with higher-level clearance can write at their level and no higher or lower, but can still read objects with lower clearance.
While the Mandatory Access Control model is one of the most secure in the IS realm, getting access approval is often very slow and time-consuming.
3. Role-Based Access Control (RBAC)
This model is a standard part of access control implementation in ICS, or Industrial Control Systems. Instead of assigning clearance levels to approve access, this access control model grants access to objects based on the organizational role or job title assigned to the subject. Creating resource profiles for access based on job roles can be a great, streamlined option for organizations with clearly defined roles and associated objects. However, it’s not an ideal access control model if your job requires you to work with many departments or on projects with wildly differing access levels.
4. Rule-Based Access Control (RuBAC)
This access control model uses a programmed set of “conditions,” or rules, input by a system administrator to determine whether a subject should have access to an object. While some models only consider the subject and object when granting permission, RuBAC also considers “action.” It’s similar to if-then and if-then-else statements used by coders, and this model can utilize many conditions and variables to grant or deny permissions. An organization with information that should only be accessed at a certain time of day or in a certain geographic location might benefit from a RuBac model, but changing the set of conditions often takes time and coding knowledge.
Less common access control models
While the following control models aren’t as commonly used as the four listed above, you’ll still need to know about them for the CISSP exam. Additionally, there are some specific situations where these access control methods can be particularly useful.
1. Attribute-Based Access Control (ABAC)
It may help to think of this form of access control as a combination of the RBAC and RuBAC models. Permissions are granted based on the subject’s clearance designation, the type of object being requested, the action being performed on the object, and the request's environment. For example, ABAC can assess your designated role, the type of file you’re trying to access, whether you’re trying to read or modify the file and what time of day you’re requesting access before granting permission. As you can probably tell, this access control model allows system administrators much more control over whether permissions are granted but also requires a lot of coding or programming to create or modify.
2. Risk-Adaptive Access Control (RAdAC)
RAdAC is one of the best access control models for administrators with an eye for threat and attack analysis. In addition to assessing the subject’s clearance and authority, unique security metrics are also used to determine access. These metrics can include the type of connection a subject uses to request access, their physical location, and the authentication method used. This can be an ideal model for organizations where many employees request access to highly sensitive information in various ways and where information security varies according to various factors. However, like other granular access control methods, configuring and modifying this model can take a lot of work to get right. And since RAdAC means permission can change based on changing security conditions, it’s not always the easiest for end-users.
3. Identity-Based Access Control (IBAC)
This is a very straightforward model for controlling access that can be used for consumer-facing information systems. A control access list is created defining permissions based on a subject’s singular identity, defining what they, in particular, are and aren’t allowed to access. This is often done using a login ID and password but can include fingerprinting or facial recognition data to approve access. IBAC can be a good option for systems with one subject requesting access to one low-security object; however, fingerprinting and facial recognition data are subject to change, privacy concerns and bias, and password systems put even more responsibility on the end user, sometimes causing “password fatigue.”
4. Organization-Based Access Control (OrBAC)
Like the Role-Based Access Control model, OrBac also considers a subject’s designated role, the action being performed, and the permissions associated with the object. However, before assessing these other factors, OrBAC also considers an additional level at the top of the hierarchy: the declared organization. This can be a good option for companies that are part of a larger parent company with multiple subsidiaries all sharing the same access and information. With so many different levels of information being shared in company structures like these, this access control method can help manage permissions without creating unique models for each part of your larger organization.
Logical vs. physical access control
In cybersecurity, these access control models are often viewed through the lens of networks and information systems. However, the CISSP exam is very comprehensive, and to pass, you’ll need to remember throughout the test that there are both logical and physical access controls, and they’re often used in combination. Logical access tends to cover digital assets, like networks, digital data, software and system files. Permissions for logical access are typically governed by access control lists and permission designations that analyze the subject making the request, the object being requested and sometimes other factors like connection security, role and IP location.
However, managing systems for physical access is also crucial to help an organization run smoothly. Physical access concerns providing access to buildings, specific rooms, offsite locations and physical assets like computers and other equipment. Physical access control methods often use more direct authentication tools like electronic keycards, personal numerical codes and common pin tumbler locks and padlocks.
Biometrics are an increasingly popular form of physical access control and have become a noticeable part of the access control used by Apple ID. Biometric access includes scanning subjects’ faces, fingerprints, irises, retinas or voices to confirm identity and access levels. While biometrics are often much more secure and accurate than logical access methods, they present some obstacles for end users due to requirements for consistency. For example, proper facial and fingerprint recognition requires adequate lighting, and voice identification relies on a quiet environment to work. Plus, facial, iris and voice recognition depend on consistency, and not every member of an organization can look or sound the same way from day to day.
Both on the exam and in real-life scenarios, the type of access control model you use will depend on the size of the organization, the level of security that’s required and the type of objects that you’ll be working with. Sometimes, flexibility for end users is valued more highly at organizations than the tightness of the security and other times, it’s the opposite.
Many institutions combine two or more access control methods into a hybrid model that perfectly suits their needs. And as an organization grows and changes, so too can its forms of access control, moving from broad to granular. However, the knowledge you gain from passing the CISSP certification exam will prove you have the skills to adapt to this ever-changing landscape.